
Once a day, the following IP range sends multiple requests per second. During the attack a strange browser is used, which is mentioned below:

IP Range: 192.168.1.100-192.168.1.200
Port: 80 (Apache web server)   
Browser Name: X11: Crawler

At other times, I receive legitimate traffic (with other browsers) from the mentioned IP range. Therefore, I can't block this IP range completely.

I would like to limit the aggregate connections (of the mentioned IP range only) to 15/minute. Is the following iptables rule correct?

iptables -A INPUT -p tcp --syn --dport 80 \
    -m string    --algo bm --string "X11: Crawler" \
    -m iprange   --src-range 192.168.1.100-192.168.1.200 \
    -m connlimit --connlimit-above 15/minute --connlimit-mask 32 \
    -j REJECT --reject-with tcp-reset
jehan
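The rule as posted cannot do what is asked, and the reasons are worth spelling out before fixing it. First, --syn selects handshake packets, which carry no payload, so -m string never sees a User-Agent on them. Second, connlimit counts concurrent connections and takes a plain number; a rate such as 15/minute is not valid there. Third, --connlimit-mask 32 keys the count per source address, which is the opposite of an aggregate limit. The script below is an added example, not code from the original post or its answer: it expresses the limit with the hashlimit match, which without --hashlimit-mode keeps a single bucket for the whole rule, and it splits the browser match from the connection-rate match because they live on different packets. The IPTABLES override, the run() wrapper and the hashlimit bucket names are this example's own assumptions; the address range, port and browser string come from the question.

```shell
#!/bin/sh
# Added example (not from the original post): rate-limit the crawler traffic
# described in the question with the iptables extensions that actually do the
# job (iprange, string, hashlimit, REJECT).
# Assumptions of this script: the IPTABLES override and the run() wrapper are
# our own (IPTABLES=echo previews rules without touching the firewall); the
# hashlimit bucket names are arbitrary; the browser is matched as the literal
# "X11: Crawler" from the question; and -m string is a substring match on one
# packet's payload (iptables does no TCP reassembly), so the header has to fit
# inside a single segment, which it does for an ordinary GET request.

IPTABLES="${IPTABLES:-iptables}"
SRC_RANGE="192.168.1.100-192.168.1.200"   # the range from the question
UA="X11: Crawler"                         # browser string from the question
RATE="15/minute"                          # aggregate ceiling asked for
BURST="15"                                # initial token bucket size

# Every iptables invocation goes through run() so that IPTABLES=echo prints
# the finished rule instead of applying it.
run() { "$IPTABLES" "$@"; }

# Rule A: what the poster actually wants. The User-Agent only exists in data
# packets after the handshake, so there is no --syn here. The string match
# picks out crawler requests from the range; hashlimit without --hashlimit-mode
# keeps ONE bucket for the whole rule (aggregate, not per source address), and
# --hashlimit-above matches once that bucket exceeds RATE. Requests from other
# browsers on the same addresses never reach the REJECT.
limit_crawler_requests() {
  run -I INPUT -p tcp --dport 80 \
      -m iprange --src-range "$SRC_RANGE" \
      -m string --algo bm --string "$UA" \
      -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
                   --hashlimit-name crawler_ua \
      -j REJECT --reject-with tcp-reset
}

# Rule B: the question's literal wording, "15 connections per minute from the
# range". SYN packets carry no payload, so no browser string can be matched
# here; this caps every new connection from the range, legitimate or not.
limit_range_connections() {
  run -I INPUT -p tcp --syn --dport 80 \
      -m iprange --src-range "$SRC_RANGE" \
      -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
                   --hashlimit-name crawler_syn \
      -j REJECT --reject-with tcp-reset
}

# -I puts the rule at the top of INPUT. It has to sit before any blanket
# "-m conntrack --ctstate ESTABLISHED -j ACCEPT", or rule A never sees the
# data packets it needs to inspect.
case "${1:-}" in
  apply)   limit_crawler_requests ;;
  preview) IPTABLES=echo; limit_crawler_requests; limit_range_connections ;;
esac
```

Run it as "sh crawler-limit.sh preview" to print both rules, and as root with "apply" to install rule A. Rule B is included only for comparison: it also throttles the legitimate browsers coming from the same addresses, which is exactly what the poster wants to avoid. Both rules assume port 80 carries plain HTTP; on TLS the User-Agent is encrypted and only the SYN-based rule B remains possible.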

1 Answer


I think this works:

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

If you want to ban the IP range, change ACCEPT to DROP.